Bug #12927

open

OpenVPN with OCSP enabled allows connections with revoked certificates

Added by Danilo Zrenjanin about 2 years ago. Updated 9 months ago.

Status: Incomplete
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.6.0
Affected Architecture:

Description

OpenVPN doesn't honor certificate validity status against the site listed in the OCSP URL field.

See:
https://redmine.pfsense.org/issues/11830

Konstantin Panchenko wrote in #note-11:

    This is still an issue in 2.5.2; the validation code is still checking only the last line returned from "openssl". The documentation for the exec command states that the output parameter must be used to get the full output, and that would be an array. The last line analysed in the current code would look only like "Next Update: May 11 11:29:54 2021 GMT", see above.
    https://www.php.net/manual/en/function.exec.php

I see the issue was closed by adding the "-resp_text" option; however, without analysing the whole output of the EXEC / OpenSSL function this won't work. I've attached my edit for review.
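The behaviour described above, as an added example (not pfSense code and not the attached edit): PHP's exec() returns only the last line of output, so a status check has to walk the array that exec() fills through its second parameter. The function name, the "0x1000" serial label and the sample lines are assumptions; the samples are constructed, modelled on the summary that "openssl ocsp" prints.

```php
<?php
// Added example: hypothetical helper, not taken from openvpn.inc or the tls-verify script.

/**
 * Decide whether an OCSP check passed, using every captured line.
 * $lines : array filled by exec($cmd, $lines, $rc)
 * $rc    : exit status stored by exec() in its third parameter
 * $label : text openssl prints before the status (assumed: the serial as passed)
 */
function ocsp_cert_is_good(array $lines, int $rc, string $label): bool
{
    if ($rc !== 0) {
        return false;                    // openssl itself failed: fail closed
    }
    $pattern = '/^' . preg_quote($label, '/') . ':\s*(\w+)\s*$/';
    $sawGood = false;
    foreach ($lines as $line) {
        if (preg_match($pattern, $line, $m)) {
            if ($m[1] !== 'good') {
                return false;            // "revoked" or "unknown": reject
            }
            $sawGood = true;
        }
    }
    return $sawGood;                     // no status line at all: reject
}

// Constructed sample output, as exec() would place it in its $output array.
$good = [
    '0x1000: good',
    "\tThis Update: May  4 11:29:54 2021 GMT",
    "\tNext Update: May 11 11:29:54 2021 GMT",
];
$revoked = [
    '0x1000: revoked',
    "\tThis Update: May  4 11:29:54 2021 GMT",
    "\tNext Update: May 11 11:29:54 2021 GMT",
    "\tRevocation Time: May  1 09:00:00 2021 GMT",
];

// The last line (all that exec() returns) carries no status in either case.
var_dump(trim(end($good)));                          // a "Next Update" line
var_dump(trim(end($revoked)));                       // a "Revocation Time" line

// Walking the whole array separates the two cases.
var_dump(ocsp_cert_is_good($good, 0, '0x1000'));     // bool(true)
var_dump(ocsp_cert_is_good($revoked, 0, '0x1000'));  // bool(false)
var_dump(ocsp_cert_is_good([], 0, '0x1000'));        // bool(false)
```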
Actions #1

Updated by Jim Pingle almost 2 years ago

  • Target version deleted (22.01)
Actions #2

Updated by Chris Linstruth about 1 year ago

OCSP is not checked at all if certificate depth checking is disabled.

openvpn.inc does not place tls-verify into the server configuration at all in that case.

Was that the case here?

Actions #3

Updated by Jim Pingle about 1 year ago

  • Target version set to 2.7.0
  • Plus Target Version set to 23.05
Actions #4

Updated by Jim Pingle 11 months ago

  • Plus Target Version changed from 23.05 to 23.09
Actions #5

Updated by Jim Pingle 9 months ago

  • Status changed from New to Incomplete
  • Target version deleted (2.7.0)
  • Plus Target Version deleted (23.09)

Looks like we need more info here or some reliable way to reproduce the problem. There was no response to our last inquiry here.
